
Methods of virus detection

And their limitations

By Umakant Mishra, Bangalore, India
umakant@trizsite.com, http://umakant.trizsite.com

Contents
1. Introduction
2. Popular methods of virus detection
2.1 Simple signature scanning
2.2 Generic signature scanning
2.3 Integrity checking
2.4 Heuristic scanning
2.5 Behavior monitoring
2.6 Generic scanning
2.7 Resident scanning
3. Limitations of conventional scanning methods
3.1 Time lag between virus creation and detection
3.2 Problem of updating signature database
3.3 Limitations of signature scanning
3.4 Burden of scanning time and resource
3.5 Limitations of integrity checking
3.6 Limitations of static heuristic scanning
3.7 Limitations of emulation technique
3.8 Vulnerability of anti-virus programs
3.9 Other problems in scanning
4. Summary
Glossary
Reference

1. Introduction
Computer viruses are man-made destructive programs, written deliberately to
infect computer systems and cause trouble for innocent computer users. A
computer virus is generally loaded onto a computer system without the
knowledge of the user. It causes unauthorized and unwanted changes to the
components of the computer or to the information stored on it.

Methods of virus detection and their limitations, by Umakant Mishra http://www.trizsite.com

Electronic copy available at: https://ssrn.com/abstract=1916708
The creation of viruses started during the mid-1980s, when the use of PCs began
to grow in businesses and homes. Computer games were very popular, and
applications like word processors and spreadsheets were in high demand, so
viruses spread by attaching themselves to those games and programs. As
floppies were predominantly used for data transfer, virus writers created viruses
revolving around floppy usage.

Later, in 1995, a new type of virus, called the macro virus, came into the picture.
These viruses are called macro viruses because they are written in macro
languages. Macros are small executable programs included in document files
such as Microsoft Word documents. These later-day viruses spread mainly
through email and the Internet. Naturally, the later-day viruses are more
intelligent and powerful. (Note: read more on viruses in “Introduction to
Computer Viruses”, published this month.)

While viruses intend to spread and perform destructive operations on our
computers, anti-virus programs intend to prevent them from doing so. Anti-virus
programs have now become essential for every computer. Anti-virus software
performs several important functions, such as virus prevention and file
protection, virus scanning and detection, removing viruses from infected files,
and recovering damaged files and objects.

The most important function of an anti-virus program is to protect the computer
from any type of attack by computer viruses, computer worms, Trojan horses,
spyware, adware and other malware. When an external storage device, such as
a CD, DVD or pen drive, is connected to the computer, the resident anti-virus
immediately scans the connected media and ensures that no virus is transmitted
from that media to the computer. The anti-virus software also protects the
computer from viral threats coming from a LAN, WAN or the Internet.

When we install an anti-virus it first scans the main memory of the computer and
then all external storage devices to detect the presence of any virus. If a virus is
detected, the anti-virus tries to remove it and restore the infected file to its
original state. If the file is too badly damaged by the virus, the anti-virus may
decide to delete the infected file. (Note: read more on virus scanners in
“Introduction to Virus Scanners”, published this month.)

2. Popular methods of virus detection


One of the most important functions of any anti-virus program is to detect the
presence of any virus in a computer system. Once a virus is detected, the anti-
virus program typically informs the user about the detection. Since the virus
often writes its code into the program at several different locations, the anti-virus
tries to remove the virus code and restore the original program.

An anti-virus program uses various methods for detecting viruses. As different
viruses have different characteristics, their detection methods also differ: no
single method can detect all types of viruses. The popular methods used by
anti-virus programs for detecting viruses are as follows:

⇛ Signature scanning
⇛ Integrity checking
⇛ Heuristic scanning
⇛ Emulation
⇛ Activity monitoring

2.1 Simple signature scanning


Simple computer viruses copy themselves to each executable file they infect.
These types of viruses replicate an identical copy of themselves byte-by-byte
each time they infect a new file. They can be easily detected by searching a
specific string of bytes, called “virus signature”, that has been extracted from the
body of the virus.

A virus signature is a sequence of bytes that may be found in a virus program
code but is unlikely to be found anywhere else. Extracting a “virus signature” is a
skillful job. An anti-virus researcher must analyze the virus body carefully in order
to extract the virus signature. When a new virus appears, a human expert has to
analyze the infected file and find the pattern or “signature” of that virus.

After signatures of different viruses have been found, they are stored in the
signature database of the anti-virus program. This signature database is
distributed to the customers along with the anti-virus program. The anti-virus
program uses those signatures to scan each vulnerable area of a computer -
including executable files, boot records, document files with macros etc. - to
detect the presence of any of those signatures. If any of those signatures is
found then the target program is deemed infected; otherwise the target program
is considered uninfected.

2.2 Generic signature scanning


Although signature scanning is a simple and reliable method, it has the limitation
that it can detect only known viruses whose signatures have already been
extracted and included in the virus signature database. It cannot detect other
variants of a known virus, even when the differences between their signatures
are very minor.

In contrast, a generic signature uses the pattern found in a whole family of
viruses. This is a quicker method to detect all the viruses belonging to the same
family. The method works because most viruses are not written from scratch but
created by modifying the code of previously existing viruses. In such cases a lot
of similarities are found between the original virus and its variants. Generic
signatures use various wildcards to detect all the variants of a virus family. This
method is also capable of detecting new and future viruses of the same family.
Generic signature scanning is also called heuristic signature scanning.
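The difference between a simple and a generic (wildcard) signature, as an added example written for this page rather than code from the paper or from any anti-virus product. The signature text format, the sample names and every byte string below are constructed for the demonstration:

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A signature in a constructed text format: space-separated hex bytes,
    where the token '??' is a wildcard matching any single byte."""
    name: str
    pattern: str


def compile_signature(sig: Signature):
    """Translate the hex/wildcard signature into a compiled bytes regex."""
    parts = []
    for tok in sig.pattern.split():
        if tok == "??":
            parts.append(b".")                        # any one byte
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    # DOTALL so the wildcard also matches 0x0A, which '.' would otherwise skip
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures) -> list:
    """Return (signature name, offset) for every signature found in data."""
    hits = []
    for sig in signatures:
        match = compile_signature(sig).search(data)
        if match:
            hits.append((sig.name, match.start()))
    return hits


# Constructed samples: a 16-byte stand-in for a host program header followed by
# an 8-byte "virus body" of opcode-like filler (not real virus code). The variant
# differs only in its immediate operands (0x0001 -> 0x0002, 0x0010 -> 0x0020),
# which is exactly the kind of minor change that defeats an exact signature.
HOST_STUB = b"MZ" + b"\x90" * 14
ORIGINAL_BODY = b"\xb8\x01\x00\xcd\x21\xe8\x10\x00"
VARIANT_BODY = b"\xb8\x02\x00\xcd\x21\xe8\x20\x00"

INFECTED_A = HOST_STUB + ORIGINAL_BODY      # the sample the researcher analysed
INFECTED_B = HOST_STUB + VARIANT_BODY       # a later variant of the same family
CLEAN = HOST_STUB + b"Hello, I am an ordinary program."

# Simple signature: the exact bytes extracted from the original sample.
SIMPLE = Signature("Demo.A", "B8 01 00 CD 21 E8 10 00")
# Generic signature: the same skeleton with the variable operands wildcarded.
GENERIC = Signature("Demo.Family", "B8 ?? ?? CD 21 E8 ?? ??")


def compare(data: bytes) -> dict:
    """Show what each signature style finds in one sample."""
    return {
        "simple": [name for name, _ in scan(data, [SIMPLE])],
        "generic": [name for name, _ in scan(data, [GENERIC])],
    }


if __name__ == "__main__":
    for label, sample in (("original", INFECTED_A), ("variant", INFECTED_B), ("clean", CLEAN)):
        print(label, compare(sample))
```

The more bytes a generic signature wildcards, the more of the family it catches but the more ordinary code it risks matching, which is why wildcard signatures are usually anchored on the invariant bytes of the routine rather than on operands.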

2.3 Integrity checking


Integrity checking is another method of detecting viruses. The method detects
the existence of viruses by comparing the hash values of a file with the hash
value of its uninfected version. If no difference is found between the two hash
values then the file is deemed to be uninfected.

An integrity checker generally keeps a small “checksum”, “hash value”, “snapshot”
or “fingerprint” of uninfected programs (such as executables, boot records etc.)
in a secured location, taken at the beginning when the programs are presumably
uninfected. During integrity checking, the integrity checker recalculates the
fingerprints of the programs and compares them with their original fingerprints. If
both fingerprints match then the file is assumed to be unmodified and hence
deemed uninfected. If they don’t match then the anti-virus program has to use
further intelligence to determine whether the modification is “virus-like” or
user-induced.

Logic behind integrity checking


Integrity checking works because the viruses must make changes to their host
programs. In other words, no virus can infect a host program without modifying
its code. This situation creates a difference between the hash of the uninfected
file and the infected file. However, the integrity checking does not work if the
computer is not virus-free when the programs are first fingerprinted.

Advantages of integrity checking


As integrity checking doesn’t use virus signatures, it can be used to detect any
kind of virus, including new and unknown viruses. Besides, an integrity check is
much faster than a signature scan. As with signature scanners, integrity
checkers can be used to check the entire disk or can be resident to check each
program that is about to be executed. Integrity checking is called "inoculation" by
the commercial Norton Anti-Virus product from Symantec Corp.

Application of integrity checking


The method of integrity checking is adopted not only by virus scanners but also
by other security systems. Some CMOS BIOS systems have a setting to monitor
changes in boot records. Windows 2000 and XP systems check their system
files during booting as part of their System File Checker (SFC) mechanism.
Some operating systems keep a backup of their core system files in secret
locations and roll back the files when they are found damaged or infected.
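An integrity checker of the kind described in this section, added here as an illustration and not taken from the paper or from any product. It assumes SHA-256 fingerprints, an HMAC-sealed baseline (so the stored fingerprints themselves cannot be quietly replaced) and the constructed file set built in demo(); the report separates the three outcomes the text discusses: a changed file, a vanished file, and a file that has no clean fingerprint at all:

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption: only rarely-changing program files are fingerprinted (see 3.5).
PROTECTED = ("*.exe", "*.sys")


def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def protected_files(root: Path) -> list:
    return sorted({p for pat in PROTECTED for p in root.rglob(pat)})


def take_baseline(root: Path) -> dict:
    """Fingerprint every protected file while the system is presumed clean."""
    return {str(p.relative_to(root)): fingerprint(p) for p in protected_files(root)}


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Store the baseline with an HMAC so a tampered baseline is rejected on load.
    The key must be kept where the scanned system cannot alter it."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"tag": tag, "baseline": body}).encode()


def load_baseline(sealed: bytes, key: bytes) -> dict:
    doc = json.loads(sealed)
    expected = hmac.new(key, doc["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline has been modified")
    return json.loads(doc["baseline"])


def verify(root: Path, baseline: dict) -> dict:
    """Recompute fingerprints and classify every protected file."""
    report = {"modified": [], "missing": [], "unchecked_new": []}
    for rel, digest in baseline.items():
        path = root / rel
        if not path.exists():
            report["missing"].append(rel)
        elif fingerprint(path) != digest:
            # The checker only knows the file changed; a version upgrade and a
            # viral append both land here, so a human or another engine decides.
            report["modified"].append(rel)
    for p in protected_files(root):
        rel = str(p.relative_to(root))
        if rel not in baseline:
            report["unchecked_new"].append(rel)   # no clean fingerprint: cannot judge
    return report


def demo() -> dict:
    """Run the checker on a constructed temporary tree; no real system files are touched."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.exe").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "old.exe").write_bytes(b"MZ" + b"\x00" * 8)
        (root / "driver.sys").write_bytes(b"MZ" + b"\xcc" * 32)
        key = b"constructed-demo-key"
        sealed = seal_baseline(take_baseline(root), key)

        # Simulated infection: bytes appended to app.exe (constructed filler, not virus code).
        with open(root / "app.exe", "ab") as f:
            f.write(b"APPENDED-BY-DEMO")
        (root / "old.exe").unlink()                            # removed since baseline
        (root / "new.exe").write_bytes(b"MZ" + b"\x41" * 16)   # added since baseline

        return verify(root, load_baseline(sealed, key))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```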

2.4 Heuristic scanning


Heuristic scanning is another method of virus detection that is neither signature
based nor integrity based. A heuristic anti-virus program examines a target
program (executable file, boot record, or possibly a document file with a macro)
and analyzes its program code to determine if the code appears virus-like. In
other words, a heuristic engine detects commands within a program that are not
found in typical application programs, such as the replication mechanism of a
virus, the distribution routine of a worm or the payload of a Trojan. If the target
program's code appears virus-like, the scanner reports a possible infection.

As the heuristic method does not use virus signatures it can detect new and
unknown viruses that have not yet been analyzed by antivirus researchers.
Because the heuristic technique does not use integrity information, it does not
require the fingerprints of programs to be taken and saved when the computer is
in a known clean state.

Types of heuristics detection


⇛ Code anomaly detection – heuristic scanning looks for certain codes or
commands within a program that are not found in typical application
programs, such as the replication mechanism of a virus, the distribution
routine of a worm or the payload of a Trojan.
⇛ Protocol anomaly detection – for example the applications using TCP/IP
protocols use certain model rules. If the scanner detects any deviation
from the standards, then it suspects the possibility of a network based
intrusion.
⇛ Mixed heuristic detection – nowadays all anti-virus products combine various
heuristic detection methods with generic detection methods in order to
confirm detections and avoid false positives.

Static and Dynamic heuristic detection


Heuristic virus detection method can be classified as either static or dynamic.
The primary difference between these two detection schemes is that the dynamic
method uses CPU emulation while the static method does not.

In static heuristic virus detection, the antivirus program searches the instructions
of a target program for sequences of instructions that perform operations typically
used by viruses. Unlike virus signatures, these sequences are not designed to be
specific to a single virus. Instead, they are meant to be as general as possible in
order to detect the operation of many different viruses.

For example, if the static heuristic antivirus program finds a file open operation,
followed by file read and write operations, and also finds a string "VIRUS" in the
program, it may report that the file is infected by an unknown virus. Static
heuristic detection is generally fast and often performed before CPU emulation.
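A static heuristic of the kind described in this section, as an added example (not the paper's code or a real engine's). It decodes DOS int 21h service calls from constructed byte strings and scores the open-read-write sequence and the string "VIRUS" that the text mentions; the directory-enumeration rule, the weights and the threshold are this example's own assumptions, and the EVASIVE sample previews the permutation problem discussed in 3.6:

```python
import re

# DOS INT 21h services (selected by the AH register) that a file infector uses;
# the list and the weights below are this example's own assumptions.
DOS_FUNCTIONS = {0x3D: "open", 0x3F: "read", 0x40: "write", 0x3E: "close",
                 0x4E: "find_first", 0x4F: "find_next"}

# "mov ah, imm8" (B4 xx) immediately followed by "int 21h" (CD 21)
INT21_CALL = re.compile(b"\xb4(.)\xcd\x21", re.DOTALL)


def dos_calls(code: bytes) -> list:
    """Statically recover, in program order, the DOS services the code requests."""
    return [DOS_FUNCTIONS.get(m.group(1)[0], "other") for m in INT21_CALL.finditer(code)]


def in_order(calls, wanted) -> bool:
    """True if every item of `wanted` occurs in `calls`, in that order (subsequence)."""
    it = iter(calls)
    return all(any(c == w for c in it) for w in wanted)


def static_heuristic(code: bytes, threshold: int = 4) -> dict:
    """Score virus-like traits found by static inspection, without running the code."""
    score, reasons = 0, []
    calls = dos_calls(code)
    if in_order(calls, ["find_first", "find_next"]):
        score += 2
        reasons.append("enumerates files in a directory")
    if in_order(calls, ["open", "read", "write"]):
        score += 2
        reasons.append("opens a file, then reads and writes it")
    if re.search(rb"VIRUS", code, re.IGNORECASE):
        score += 3
        reasons.append("contains the string 'VIRUS'")
    return {"score": score, "suspicious": score >= threshold,
            "reasons": reasons, "calls": calls}


def call(ah: int) -> bytes:
    """Encode one 'mov ah, <service>; int 21h' pair (constructed sample code)."""
    return bytes([0xB4, ah, 0xCD, 0x21])


# Constructed stand-ins for program code: a stub header, a few service calls and
# some string data. None of these is real malware; they only exercise the rules.
SUSPECT = (b"MZ" + call(0x4E) + call(0x4F) + call(0x3D) + call(0x3F)
           + call(0x40) + call(0x3E) + b"VIRUS v1")
# A legitimate copy utility performs the same open/read/write sequence, which is
# why that trait alone must not be enough to report an infection.
COPY_TOOL = b"MZ" + call(0x3D) + call(0x3F) + call(0x40) + call(0x3E) + b"copy done"
# Same file operations as COPY_TOOL, but the open uses "mov ax, 3D02h" (B8 02 3D)
# instead of "mov ah, 3Dh", so this heuristic misses the open entirely.
EVASIVE = b"MZ" + b"\xb8\x02\x3d\xcd\x21" + call(0x3F) + call(0x40) + call(0x3E)


if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("copy tool", COPY_TOOL), ("evasive", EVASIVE)):
        print(label, static_heuristic(sample))
```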

On the other hand, dynamic heuristic detection uses an emulation-based
technology which loads the target program into a software-based CPU emulator.
The CPU emulator acts as a simulated virtual computer. The program is allowed
to execute freely within this virtual computer. As the target program is emulated,
its virus-like operations are identified and catalogued. From this catalog of
virus-like operations, the antivirus program determines if the target program
looks like a virus.

As the conventional signature scanning does not work for polymorphic and
metamorphic viruses, many anti-virus programs use an emulation-based
technology to detect those viruses. This method also works for encrypted
viruses.

2.5 Behavior monitoring


The method of behavior monitoring tries to detect virus-type activity, such as
attempts to reformat a disk, which is generally not the activity of a common
program. In another case a program may try to move a file into one of the
operating system folders. Such actions are immediately flagged by behavior
monitoring.

However, behavior monitoring is not separate from the above-mentioned
methods. Behavior monitoring is a broad concept which includes techniques like
heuristic scanning, CPU emulation and other generic detection methods.

2.6 Generic scanning


The methods of virus scanning may be classified as specific methods (to detect
specific viruses or specific types of viruses) and generic methods (to detect a
virus of whatever type). Signature scanning is a specific method, whereas
integrity checking, heuristic scanning, behavior monitoring etc. are all generic
methods. The generic methods may include:

⇛ Verification of program size
⇛ Verification of checksum or fingerprints
⇛ Verification of revision information
⇛ Verification of disk address
⇛ Verification of object program
⇛ Verification of object program by using compression and decompression

2.7 Resident scanning


Scanning can be either on-demand or on-access. On-demand scanning is
generally offline scanning: the user has to click a button to start a scanning
operation, or schedule the scan to run later during non-business hours. While
on-demand scanning is capable of detecting viruses, it does not prevent viruses
from infecting other files.



On the other hand, on-access scanning is triggered at the time a file is accessed
or a program is executed. On-access scanning is done automatically by a
resident scanner when a file is accessed for copying, editing or other such
purposes. The resident scanner runs as a memory-resident module and triggers
a scan event to scan the file on the fly before it is accessed. This method
provides valuable protection as it catches virus infections in real time and
prevents the virus from infecting other files in the system.

3. Limitations of conventional scanning methods


In the above paragraphs we discussed various methods of virus scanning. Each
of these methods has its strengths and weaknesses. Signature scanning is an
easy and definite method for detecting known specific viruses, but it does not
work for new or unknown viruses. Generic methods may detect new viruses but
may not be able to cure the infected files. The following are some important
drawbacks faced by conventional scanning methods.

3.1 Time lag between virus creation and detection
One of the worst drawbacks of signature scanning is the time lag between virus
creation and virus detection. As the method requires extracting the signature,
distributing the signature files to customers worldwide and then using the new
signature database for scanning, a new virus can easily spread and cause
damage during that period without being detected.

Because of this time gap between virus creation and possible detection, new
viruses, which are not yet included in the virus definition database, are not
detectable by this method. The longer the gap, the greater the opportunity for
new viruses to be created and spread.

Overcoming limitations:
⇛ The anti-virus companies may adopt various methods (such as using
automated techniques to extract signatures, or having customers submit
virus instances) to reduce the time lag between the creation of viruses
and the distribution of their signatures.
⇛ The above drawback of signature scanning may be overcome by using
generic methods of virus detection, such as heuristic scanning, CPU
emulation and integrity checking.

3.2 Problem of updating signature database


A signature-scanning engine is of no use without a virus signature database. The
scanning engine has to refer to the signature database in order to scan the files.
Unfortunately updating the signature database is not a one-time activity; it has to
be updated again and again on a regular basis. Updating the signature database
is critical because only the viruses whose signatures have already been
determined and stored in the signature database can be detected during
signature scanning.

Now what exactly is the problem of updating the signature database? The
signature database has to be updated by both the anti-virus company and the
anti-virus user. The anti-virus company may do it for a commercial objective, but
the end user must go through this pain just to stay safe from viruses. If the
signature database is not updated then even a full scan does not guarantee that
the computer is free from viruses.

As new viruses are created almost every day, the anti-virus companies
continually discover new viruses and update their definition files on a regular
basis. Over time, the size of these data files becomes very large and takes an
excessive amount of time to download. This situation becomes especially bad on
slow and unreliable Internet connections.

Overcoming limitations:
⇛ An automatic update is a common technique adopted at the client
machine to check for and download new updates from the anti-virus
developer's website.

3.3 Limitations of signature scanning


⇛ As we discussed above, the method of signature scanning can detect only
the known viruses whose signatures have been included in the virus
definition database. It cannot detect any unknown virus.
⇛ Besides, there are certain types of viruses, such as polymorphic and
metamorphic viruses, which change the instructions in the viral body with
each infection. As they don’t have static strings, they often cannot be
detected by signature scanning.
⇛ In generic signature scanning, wild cards are used in the signatures to
scan for multiple viruses of the same family. But this may not always work,
as new viruses of the same family may not fall within the scope of the
wild card. In such a case the new virus may pass the virus test.
⇛ Extracting virus signatures is a highly skillful job. The anti-virus
researchers have to have knowledge of various languages and
programming environments. Boot sector viruses are written in assembly
language, whereas most Windows viruses are written in C/C++, Delphi, VB
or VBA. Some are also written in Java and JavaScript. The researchers
must understand lower level languages as well as higher level languages,
including the internal functions of operating systems.

Overcoming limitations:
⇛ The job of analyzing virus characteristics and extracting virus signatures
can be expedited by using automated techniques (TRIZ Principle-25: Self
Service). Human researchers may analyze the code only if a potential
virus cannot be handled by the automated systems.
⇛ Scanning with generic signatures can detect unknown viruses. Not all
viruses are created from scratch. Many virus writers modify the code of
other viruses and create dozens of similar viruses. In such cases, the
anti-virus researchers try to find the common signature that all the viruses
in a family share, instead of finding individual signatures for each single
breed.
⇛ The polymorphic, metamorphic and other such viruses, which cannot be
detected by signature scanning, can be detected by using other methods
like behavior monitoring and integrity checking (TRIZ Principle-6:
Universality).



3.4 Burden of scanning time and resource
As the number of viruses increases, the number of their signatures also
increases. This increases the size of the signature database and the scanning
time. With thousands of possible virus types and hundreds of gigabytes of file
storage, a scanning operation often exceeds acceptable limits.

If a scanner includes fewer algorithms then there is a possibility of some viruses
escaping. On the other hand, if the scanner includes all possible methods then
the scanning process will become unbearably slow. We want to include all
possible methods to detect all types of viruses, but at the same time we don’t
want the scanning to take long.

Overcoming limitations:
⇛ One technique to improve scanning speed is to scan only for the viruses
relevant to the type of file. For example, a boot sector signature would not
be used to scan a macro file. This method reduces the total number of
search operations and reduces the scanning time.
⇛ Another technique is to scan only a specific area of a file instead of the
whole file. For example, depending on the file type, such as .com or .doc,
the scanner can decide which areas of the file are more likely to contain a
virus. This spares the scanner from searching through the complete file
looking for infection.
⇛ Patent 5684875 (invented by Hans Ellenberger, Nov 1997) suggests not
running all the detection algorithms at a time, which could take a long
time. It suggests selecting only one or a few algorithms to run each time
the scanner is loaded, either randomly or by some other selection criteria.
Even if a virus is not detected by a few of these detection algorithms, its
chance of survival is very low as it could be detected by another algorithm.
⇛ Patent 7036147 (invented by Hursey, assignee McAfee, April 2006)
discloses a method of accelerated scanning by assigning the scanning job
to two different threads. The invention executes two threads in parallel, a
first thread to read the data and a second thread to scan the data. The
first thread runs in parallel with the second such that while a first portion of
the data is being scanned, a second portion of the data to be scanned is
being read and cached. This method avoids the delay caused by disk read
operations.



3.5 Limitations of integrity checking
⇛ Comparing the checksum or CRC is effective if the program is stored on
the hard disk. But if a program is read or executed from a floppy disk or
CD then the method does not work. As uninfected fingerprints are not
available for files on floppies, CDs or pen drives, the checksum method
cannot detect whether the files residing on those kinds of media are
infected or not.
⇛ Integrity checking is of no use if the computer is already infected at the
time when the programs are first fingerprinted. In such situations the
computer will be inoculated with virus-infected files, creating a safe haven
for viruses to infect other programs.
⇛ When a change in a program is detected by integrity checking, it is often
difficult for the antivirus program to determine whether the change was
induced by a virus or by a user. For instance, the user may update a
program by installing a new version or copying an updated file, which may
lead to a false positive. Even if the antivirus program asks the user to take
a decision in this regard, many users may not be knowledgeable enough
to determine whether the changes are genuine or virus-induced.
⇛ Integrity checking is suitable only for files that never change over a period
of time. The method does not work for documents or data files which are
frequently modified by the user. Besides, the method is suitable only for a
limited number of files (such as system files and critical files) as it requires
a lot of backup storage space.

3.6 Limitations of static heuristic scanning


Although static heuristic detection programs can be relatively fast, they may
recognize only some of the numerous different ways of performing various virus-
like operations. For example, different viruses may open files using different
code and different methods. In such cases the static heuristic detection
mechanism must look for a large number of different ways in which each
virus-like operation may be implemented in order to reliably detect virus-like
behavior.

As static heuristic detection needs a database covering a large number of
possible permutations of such operations, the situation may eventually become
unmanageable. This problem will be particularly acute if a virus writer writes a
"virus generator" program which generates thousands of viruses at a time,
permuting the order of its sections of code but not changing its effective
behavior. Such a multitude of viruses would be very difficult for static heuristic
detection programs to deal with.



3.7 Limitations of emulation technique
Although the dynamic heuristic technique is superior in detecting virus-like
operations, there are many problems in its implementation.
⇛ Some cases may require extensive emulation before the virus-like
operations occur. For example, a virus may idle-loop 50,000 times before
executing a “file open” operation. In that case, a very large number of
instructions would have to be emulated before the file open operation is
reached. This would greatly slow down the operation of the anti-virus
program.
⇛ Second, some viruses activate only when certain arbitrary conditions are
met. For example, a virus may execute its infectious behavior on a
particular date (such as the 13th of a month). If this condition is not met, a
dynamic heuristic antivirus program will not observe the infectious
behavior and will not detect the virus.
⇛ Third, the emulation method may not work well for memory-resident
programs. A dynamic heuristic antivirus program begins emulation at the
main entry point of a target program. However, the infectious viral code of
a memory-resident virus is not reached via the main entry point of its host
program. Instead, the infectious viral code is executed only when the
interrupt into which the virus is hooked is called, possibly by a program
other than the infected host.
So, even if the dynamic heuristic antivirus program emulates the infected host
program for a very long time, the infectious viral code may not be reached, and
thus the suspicious viral operations may go undetected.
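A toy emulator that makes the three limitations above concrete, as an added example (the instruction set is invented for this page and is not x86; none of this is code from the paper). The idle-loop, date-triggered and interrupt-hooking programs are constructed, and the instruction budgets are assumptions:

```python
from dataclasses import dataclass, field

# Toy instruction set (constructed for this example):
#   ("SET", reg, value)    ("DEC", reg)    ("JNZ", reg, target)
#   ("JDAY", day, target)  jump if the emulated clock's day-of-month equals day
#   ("HOOK_INT", target)   install an interrupt handler located at target
#   ("OPEN",) ("WRITE",)   file operations the heuristic catalogues as virus-like
#   ("HALT",)


@dataclass
class Trace:
    observed: list = field(default_factory=list)   # virus-like operations seen
    executed: int = 0                              # instructions emulated
    stopped: str = ""                              # "halt", "budget" or "end"


def emulate(program, budget: int, day_of_month: int) -> Trace:
    """Run the program in a sandboxed interpreter with an instruction budget.
    The budget is what keeps scan time bounded; it is also what a long idle
    loop exhausts before anything interesting happens."""
    regs, pc, t = {}, 0, Trace()
    while pc < len(program):
        if t.executed >= budget:
            t.stopped = "budget"
            return t
        op, *args = program[pc]
        t.executed += 1
        if op == "SET":
            regs[args[0]] = args[1]
        elif op == "DEC":
            regs[args[0]] -= 1
        elif op == "JNZ" and regs[args[0]] != 0:
            pc = args[1]
            continue
        elif op == "JDAY" and day_of_month == args[0]:
            pc = args[1]
            continue
        elif op == "HOOK_INT":
            # Emulation follows the main entry point only. The handler at args[0]
            # would run later, when some other program raises the interrupt, so
            # its OPEN/WRITE are never reached from here.
            t.observed.append("HOOK_INT")
        elif op in ("OPEN", "WRITE"):
            t.observed.append(op)
        elif op == "HALT":
            t.stopped = "halt"
            return t
        pc += 1
    t.stopped = "end"
    return t


# Constructed programs, one per limitation in the text.
# 1. Idle-loops 50,000 times (100,001 instructions) before touching a file.
IDLE_LOOP = [("SET", "r0", 50_000), ("DEC", "r0"), ("JNZ", "r0", 1),
             ("OPEN",), ("WRITE",), ("HALT",)]
# 2. Only misbehaves when the emulated date is the 13th.
DATE_BOMB = [("JDAY", 13, 2), ("HALT",), ("OPEN",), ("WRITE",), ("HALT",)]
# 3. Installs a handler at address 2 and returns; the payload sits behind it.
RESIDENT = [("HOOK_INT", 2), ("HALT",), ("OPEN",), ("WRITE",), ("HALT",)]


if __name__ == "__main__":
    print("idle loop, budget 10k :", emulate(IDLE_LOOP, 10_000, 1))
    print("idle loop, budget 200k:", emulate(IDLE_LOOP, 200_000, 1))
    print("date bomb on the 12th :", emulate(DATE_BOMB, 1_000, 12))
    print("date bomb on the 13th :", emulate(DATE_BOMB, 1_000, 13))
    print("resident, from entry  :", emulate(RESIDENT, 1_000, 13))
```

Raising the budget, trying several emulated dates, or starting a second emulation at every installed handler address each recovers one of the misses, at a proportional cost in scan time.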

3.8 Vulnerability of anti-virus programs


As detection gets more sophisticated, so do the techniques of virus creation.
Many polymorphic and metamorphic viruses use anti-anti-virus techniques and
are very difficult to detect. Besides, virus makers may target the anti-virus system
in various ways. For example, the virus may remain resident in memory and
deceive the anti-virus program, paralyze crucial functions of the anti-virus
program, or exploit loopholes in the anti-virus program to harm the computer.

Taking an example, some viruses produce highly compressed versions of much
larger files, knowing that the anti-virus system will take enormous time and
resources to decompress the file in order to scan for viruses within it. This
situation may use excessive physical/virtual memory and slow down the system
if the size of the decompressed file is extremely large.

Overcoming limitations:
In order to avoid the above problem some anti-virus systems follow a time-out
mechanism to exit or abort a prolonged virus scanning operation.
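The time-out idea from this section in code, as an added example that is not from the paper or any product: decompression is bounded by output size and wall-clock time instead of trusting the compressed size. The zlib members, the marker bytes and the 4 MiB / 2 s limits are constructed assumptions:

```python
import time
import zlib


class ScanAborted(Exception):
    """Raised when decompression exceeds the configured output or time budget."""


def bounded_decompress(blob: bytes, max_output: int, time_limit: float = 2.0,
                       chunk: int = 65536) -> bytes:
    """Inflate a zlib stream, refusing to produce more than max_output bytes or
    to run longer than time_limit seconds. The compressed size is irrelevant:
    only the output actually produced is counted."""
    deadline = time.monotonic() + time_limit
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = blob
    while not inflater.eof:
        piece = inflater.decompress(pending, chunk)    # at most `chunk` bytes per call
        out += piece
        if len(out) > max_output:
            raise ScanAborted(f"output exceeded {max_output} bytes")
        if time.monotonic() > deadline:
            raise ScanAborted(f"time limit of {time_limit}s exceeded")
        remaining = inflater.unconsumed_tail            # input zlib has not consumed yet
        if not piece and remaining == pending:
            raise zlib.error("no progress: truncated or corrupt stream")
        pending = remaining
    return bytes(out)


def scan_compressed_member(blob: bytes, signature: bytes,
                           max_output: int = 4 * 1024 * 1024) -> str:
    """Decompress within limits and look for a byte signature in the result.
    A member that blows the budget is reported instead of stalling the scan."""
    try:
        data = bounded_decompress(blob, max_output)
    except ScanAborted as exc:
        return f"skipped: {exc}"
    return "infected" if signature in data else "clean"


# Constructed samples. The "bomb" is 32 MiB of zero bytes, which deflate shrinks
# to a few tens of kilobytes, so its compressed size says nothing about scan cost.
DEMO_SIGNATURE = b"DEMO-SIGNATURE-BYTES"        # constructed marker, not a real signature
SMALL_MEMBER = zlib.compress(b"ordinary document text " * 200)
MARKED_MEMBER = zlib.compress(b"prefix " + DEMO_SIGNATURE + b" suffix")
BOMB_MEMBER = zlib.compress(b"\x00" * (32 * 1024 * 1024))


if __name__ == "__main__":
    print("compressed bomb size:", len(BOMB_MEMBER), "bytes")
    for label, member in (("small", SMALL_MEMBER), ("marked", MARKED_MEMBER), ("bomb", BOMB_MEMBER)):
        print(label, scan_compressed_member(member, DEMO_SIGNATURE))
```

A skipped member is a scan gap, not a clean verdict, so production engines log it and usually fall back to another method (for example scanning the archive member on access once it is extracted) rather than silently passing it.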



3.9 Other problems in scanning
⇛ Problem of scanning network viruses: conventional scanners are meant to
scan for viruses on the local machine. They are not suitable for network
viruses, which adopt various special techniques to travel from one
machine to another in a network.
⇛ Problem of scanning remote files: a typical virus scanner resides on the
local machine and scans the local files. It cannot scan for viruses
operating on a different machine. For example, when you are accessing a
file on a remote server, the scanner cannot scan the file residing on the
remote server.
⇛ Scanning of a computer is not possible if the machine is so heavily
infected that it is not able to boot from the hard disk.
⇛ Problem of false positives: no method of scanning is foolproof. Every
method of scanning is susceptible to false positives, which means a non-
infected file may falsely be identified as containing a virus. False positives
are as destructive as false negatives.
⇛ Problem of incompatibility with application software: although anti-virus
developers test their products thoroughly on different versions of
operating systems and other popular application software, there are
numerous other applications and device drivers which are not tested in
their labs. Hence, there are many instances of different anti-virus programs
quarantining or deleting various device drivers and thereby making the
device dysfunctional.

4. Summary
The main functions of an anti-virus program are virus prevention and file
protection, virus scanning and detection, removing virus from infected files and
recovering damaged files and objects.

An anti-virus program typically employs various strategies to detect and remove
viruses. The popular methods of detecting viruses are signature scanning,
heuristic scanning and integrity checking. However, each of these methods has
its own strengths and weaknesses.

Signature scanning (or searching for known virus patterns) is the most common
method of virus detection, but it cannot detect viruses whose signatures are not
available in the virus database. The other popular method is to use a heuristic
algorithm to find viruses based on common behaviors. This method can be
complex, but it has the ability to detect unknown or new viruses. Integrity
checking is another generic method, but it can only be applied to specific types
of files which are not generally changed by user operations.



The objective of this article is to introduce the various scanning methods and
their strengths and limitations before discussing in detail how to solve each
of these problems in subsequent articles. The study of virus control mechanisms
gives rise to various questions such as:

⇛ Can a computer be fully immune to viruses?
⇛ Is it possible to have a virus-neutral environment?
⇛ Can there be an effective method of scanning computers remotely?
⇛ Can macro viruses be prevented without any anti-virus software if
Microsoft fixes the security flaws in the Microsoft Office suite?
⇛ Can using Linux desktops provide protection from the majority of viruses?
⇛ Can there be an effective utilization of anti-viral viruses?

Glossary:
# Virus signature – a sequence of bytes that may be found in a virus
program's code but is unlikely to be found elsewhere.
# Heuristic scanning – the method of searching for virus-like behavior.
# On-access scanning – the method of scanning a file when it is requested
for opening.
# On-the-fly scanning – scanning an email or file while it is in transit, before
it is finally opened; similar to on-access scanning.
# Virus database – the database containing information such as signatures,
behaviors and removal methods of known viruses.
# Companion viruses – viruses that spread via a file which runs instead of
the file the user intended to run and then runs the original file.
# Armoured viruses – viruses that are specifically written to make it difficult
for an antivirus researcher to find out how they work and what they do.

